At a glance.
- Moncler discloses data breach.
- Ransomware in the public and not-for-profit sectors.
- Vulnerability trends.
- Pegasus update.
The price of fashion.
Italian luxury fashion brand Moncler has disclosed that it suffered a cyberattack at the hands of the AlphV/BlackCat ransomware operation in December. The company states that it “received a ransom demand that has been rejected, firmly believing the request to be against its founding principles.” The threat group has now leaked stolen data relating to current and former employees, suppliers, consultants, business partners, and customers, and is offering it for sale to other threat actors. Moncler told Bleeping Computer, “With regard to information linked to customers, the company informs that no data relating to credit cards or other means of payment have been exfiltrated, as the company does not store such data on its systems.” The company has notified stakeholders and the Italian Data Protection Authority of the incident.
Kim DeCarlis, CMO at cybersecurity company PerimeterX, sees breaches as a familiar part of the attack cycle:
“Data breaches are part of the web attack lifecycle and continue to fuel Account Takeover (ATO) and credential stuffing attacks. Therefore, we need to protect the apps that power our daily lives by disrupting the web attack lifecycle. This includes stopping the theft, validation and fraudulent use of account and identity information everywhere along the digital journey.”
Trevor Morgan, product manager with comforte AG, regards the attack as representing a foreseeable, if lamentable, trend:
“The trend toward an increasing number of ransomware attacks against high-profile targets in 2022 seems to be moving in the direction that many of us suspected. With news that the Italian luxury fashion giant Moncler sustained an attack late last year resulting in stolen files hitting the dark web this week, we can see the organizational characteristics which appeal to threat actors: if your business collects lots of (sensitive) data about employees, partners, or customers, then you are sitting on a gold mine (or oil well, just choose your analogy) that they want to infiltrate. Sure, they want that sensitive information, with which they can do any number of things, but if they can also disrupt business operations with ransomware or other extortion tricks, they multiply their chances of a successful attack.
“If your business is data-dependent, and which one isn’t in this day and age, then you need to assume that you too are a target and it’s just a matter of time before somebody internal or external gets hands on it. Squirreling sensitive data away behind protected perimeters won’t cut it anymore as a defensive measure. Only robust data-centric security, such as tokenization or format-preserving encryption applied directly to sensitive data elements, can help mitigate the situation if the wrong hands get ahold of your data. These methods obfuscate sensitive information while still preserving the original data format, which means business applications have a better chance of working with that data in a protected state. No need for de-protecting data just to work with it internally, which is a valuable best practice to uphold. While you may think it’s a luxury to invest into proactive data protection measures such as this, the alternative is the option you really can’t afford.”
Public sector ransomware report from Emsisoft.
A new report released by Emsisoft reveals that over twenty-three hundred local US governments, schools, and healthcare organizations were impacted by ransomware attacks in 2021, and over one hundred of the attacks led to the exposure of sensitive data. Though the numbers are daunting, local governments actually saw a decrease in attacks compared to 2020 and 2019, with attackers focusing on smaller counties and towns. As for schools, there was a small increase in attacks in 2021, with a greater number of districts impacted but a smaller number of individual schools. The number of individual healthcare sites more than doubled, from 560 in 2020 to over twelve hundred last year. Emsisoft’s Brett Callow told ZDNet that the numbers indicate not enough is being done to prevent attacks in the public sector, at least not for smaller organizations. He explained, “As noted in the report, the size of victim organizations seems to have decreased, possibly indicating that bigger organizations have used their bigger budgets to rectify their security shortcomings. While that would obviously be a good thing, it would still mean that ways would need to be found to help smaller organizations get to where they need to be.”
Bugcrowd report shows vulnerability trends.
Bug bounty platform Bugcrowd’s latest vulnerability report shows that accidental exposure of sensitive data increased drastically in 2021. (It’s worth noting that the report, which ranked vulnerability types by the frequency of reports from the platform’s users, did not include the Log4j bug, as the reporting data only ran through the third quarter of the year.) Accidental sensitive data exposure rose from the number nine position in 2020 to number three this year. Bugcrowd founder and chief technology officer Casey Ellis told VentureBeat that the increase can be attributed to the pandemic. “COVID basically forced the entire planet to do a whole bunch of unnatural stuff, really quickly, when it came to technology,” he stated. The top two vulnerabilities in the report were cross-site scripting, which can allow threat actors to deliver malicious code to end users of a web application, and insecure direct object references, in which an application exposes references to internal objects without properly checking the requesting user’s access permissions, allowing the system to be abused.
Update on Pegasus spyware abuse in Israel.
CTECH reports that Israeli police have allegedly used Pegasus surveillance software since 2015 to spy on Israeli citizens, including mayors, opponents of former Prime Minister Benjamin Netanyahu, and former government employees. As NPR notes, the report marks the first instance of Israeli officials using the controversial spyware. Israeli police admit they use legal cybersurveillance tools in investigations, but have neither confirmed nor denied the use of Pegasus.